mdr@vodka.sse.att.com said:
> I prefer option 4. "place it on its own subnet."
>
> [Internet]---[FWALL]----[Company Net]---[SQL Server]
>                 |
>                 |
>            [Webserver]
I'm curious about something. Why is the above map considered
better than this map:

[Internet]---[Filtering Router]---+---[Firewall]---[Company Net]
                                  |
                             [Webserver]
I see maps like yours all the time, but I'm uneasy about real
routing happening on my firewall. It just seems to me like
there's potential risk in running routing software on a firewall.
Is the argument that there's more expense due to the additional
hardware? I hope we all agree that's a bogus security argument.
Otherwise, we'd just put the webserver on the firewall itself.

For that matter, until I got on this list, I had thought one
of the defining characteristics of a firewall was that it *never*
routed packets, but I keep seeing these discussions about how
to configure a firewall to not let SYN packets through... If
a firewall never routes packets, that can't happen.

Firewalls that I've built have never routed anything. Instead they
run socks and various proxies.
Chris
--
Chris Garrigues                 O-               cwg@DeepEddy.Com
Deep Eddy Internet Consulting                    +1 512 432 4046
609 Deep Eddy Avenue
Austin, TX 78703-4513                   http://www.DeepEddy.Com/~cwg/